InfoSec Handlers Diary Blog

Today, October 21st, marks the one year anniversary of the DDOS attack on Dyn. The attack impacted Dyn's DNS service, and caused degradation or unavailability of several popular websites, including amazon.com, Airbnb, BBC, CNN, Paypal and many others. The attack was attributed to the Mirai botnet of compromised Internet of Things (IoT) devices, but despite numerous investigations, the attack was not definitively attributed to any one perpetrator or group. It did, however, highlight the fragility of the underlying Internet infrastructure, and sent a lot of service providers on a quest to shore up their pieces of that infrastructure.

Typically I have seen combinations of a few approaches. Some have added extra capacity. Others have added geo-redundancy. Still others have added or increased their ability to shed DDOS traffic.

What, if any, has your ISP done to minimize the impact of a DDOS against its infrastructure?

Cisco has updated their advisory from earlier in the week for CVE-2017-13082, Key Reinstallation Attacks, referred to as KRACKs. It appears the original updates did not completely address the CVE. New updates are in the works. No ETA was given for the new updates.

"NOTE: Additional testing performed on October 20th, 2017 resulted in the discovery that the software fixes for CVE-2017-13082 on Cisco Access Points running Cisco IOS Software may not provide complete protection. Cisco is working on new, complete fixes for these devices."

YARA is a tool designed to help malware researchers identify and classify malware samples. It's been called the pattern-matching Swiss Army knife for security researchers.

Yarascan is a Volatility plugin that scans a memory image for YARA signatures. Yarascan can be used with a rule file, or you can define what you are looking for on the fly. In this diary I am not going to discuss how to write YARA rules.

In this example yarascan will search memory.img for the signatures defined in the stuxnet.yar file:

vol.py -f memory.img yarascan --yara-file=stuxnet.yar

And here is the output. For each hit it shows the name of the rule, the memory address, the process name and the process ID.
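To make the mechanism concrete, here is an added example (not Volatility's yarascan code and not from the diary) that models what the plugin does: it walks a set of process memory regions, matches YARA-style strings against them, and reports rule name, virtual address, process name and PID for every hit. The rule text and the memory regions are constructed placeholders, not the contents of stuxnet.yar or a real image; the real plugin compiles rules with yara-python, whereas this version parses a tiny subset of the rule syntax (text strings, hex strings with ?? wildcards, "any/all of them") so it runs offline.

```python
"""Toy yarascan: match YARA-style signatures over process memory regions and
report rule, address, process and PID. Added example, rules and regions are
constructed placeholders (this is not stuxnet.yar or a real memory image)."""
import re
from dataclasses import dataclass


@dataclass
class Region:
    """One readable region of a process's address space (constructed)."""
    pid: int
    process: str
    base: int      # virtual address of data[0]
    data: bytes


# Constructed rules, not the contents of stuxnet.yar.
RULE_TEXT = r'''
rule Stuxnet_Like_Driver
{
    strings:
        $mrx = "MRxNet"
        $hdr = { 4D 5A 90 00 ?? ?? 00 00 }
    condition:
        any of them
}
rule Benign_Marker
{
    strings:
        $a = "HELLO"
    condition:
        all of them
}
'''

_RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\n\}', re.S)
_STR_RE = re.compile(r'\$(\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})')
_COND_RE = re.compile(r'condition:\s*(any|all)\s+of\s+them')


def hex_to_regex(hexstr):
    """Turn '4D 5A ?? 00' into a bytes regex; ?? matches any single byte."""
    out = []
    for tok in hexstr.split():
        out.append(b'.' if tok == '??' else re.escape(bytes([int(tok, 16)])))
    return b''.join(out)


def parse_rules(text):
    """Return [(rule_name, {string_id: compiled_regex}, 'any'|'all'), ...]."""
    rules = []
    for name, body in _RULE_RE.findall(text):
        strings = {}
        for sid, txt, hx in _STR_RE.findall(body):
            pat = hex_to_regex(hx) if hx else re.escape(txt.encode())
            strings[sid] = re.compile(pat, re.S)
        cond = _COND_RE.search(body)
        rules.append((name, strings, cond.group(1) if cond else 'any'))
    return rules


def scan(rules, regions):
    """Apply every rule to every region, one hit per matching string occurrence.
    Region offsets are rebased to virtual addresses, as yarascan reports them."""
    hits = []
    for reg in regions:
        for name, strings, cond in rules:
            found = {}
            for sid, pat in strings.items():
                offs = [m.start() for m in pat.finditer(reg.data)]
                if offs:
                    found[sid] = offs
            if not found or (cond == 'all' and len(found) != len(strings)):
                continue
            for sid, offs in found.items():
                for off in offs:
                    hits.append({'rule': name, 'string': '$' + sid,
                                 'address': reg.base + off,
                                 'process': reg.process, 'pid': reg.pid})
    return sorted(hits, key=lambda h: (h['pid'], h['address']))


def format_hit(h):
    """Render a hit with the same fields the plugin shows (layout is ours)."""
    return (f"Rule: {h['rule']} ({h['string']})  "
            f"Owner: Process {h['process']} Pid {h['pid']}  "
            f"Address: {h['address']:#010x}")


# Constructed memory image: an MZ header plus the driver name in one process,
# an unrelated marker in another, and an all-zero region that matches nothing.
REGIONS = [
    Region(4, 'System', 0x80000000, b'\x00' * 32),
    Region(1100, 'lsass.exe', 0x00400000,
           b'MZ\x90\x00\x03\x00\x00\x00PE' + b'\x00' * 16 + b'MRxNet' + b'\x00' * 8),
    Region(2368, 'explorer.exe', 0x01000000, b'\x00' * 8 + b'HELLO' + b'\x00' * 8),
]


def run_demo():
    return scan(parse_rules(RULE_TEXT), REGIONS)


if __name__ == '__main__':
    for hit in run_demo():
        print(format_hit(hit))
```

Running it prints one line per hit: two for lsass.exe (the MZ header pattern at the region base and the MRxNet string further in) and one for explorer.exe. The point for triage is the same as with the real plugin: a hit is only as good as the rule string that produced it, so the string id is reported alongside the rule name, and the address is a virtual address in the owning process, which is what you carry into a follow-up dump of that region.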